break-in attempt in my machine

Kevin O'Gorman kogorman at gmail.com
Thu Sep 1 04:44:11 UTC 2016


Another data point.  I've got two machines, listening for ssh on two
different arbitrary ports.  I took a look at /var/log/auth.log on both
machines, and found bad stuff on both.  Nothing bad happened, because of
other measures, but there's certainly more activity now than I thought
there'd be.  Here are the snippets of bad stuff:

Aug 29 02:36:56 Plato sshd[15693]: Bad protocol version identification '\003' from 108.175.157.187 port 64816
Aug 29 05:09:20 Plato sshd[24656]: Bad protocol version identification '\003' from 75.145.88.253 port 58685
Aug 29 05:09:20 Plato sshd[24657]: Bad protocol version identification '\003' from 75.145.88.253 port 58707
Aug 29 05:09:21 Plato sshd[24658]: Bad protocol version identification '\003' from 75.145.88.253 port 58728
Aug 29 05:44:01 Plato sshd[26704]: Bad protocol version identification '\003' from 99.252.214.204 port 65191
Aug 29 05:44:01 Plato sshd[26710]: Bad protocol version identification '\003' from 99.252.214.204 port 65206
Aug 29 05:44:02 Plato sshd[26711]: Bad protocol version identification '\003' from 99.252.214.204 port 65216
Aug 31 10:31:19 Plato sshd[20442]: Bad protocol version identification '\003' from 185.93.185.235 port 51162

and

Aug 29 02:36:59 camelot-x sshd[5250]: Bad protocol version identification '\003' from 108.175.157.187 port 64815
Aug 29 05:08:21 camelot-x sshd[6895]: Bad protocol version identification '\003' from 184.68.81.210 port 52326
Aug 29 05:08:21 camelot-x sshd[6896]: Bad protocol version identification '\003' from 184.68.81.210 port 52353
Aug 29 05:08:21 camelot-x sshd[6897]: Bad protocol version identification '\003' from 184.68.81.210 port 52375
Aug 29 05:43:10 camelot-x sshd[7271]: Bad protocol version identification '\003' from 23.91.71.35 port 62831
Aug 29 05:43:10 camelot-x sshd[7272]: Bad protocol version identification '\003' from 23.91.71.35 port 62849
Aug 29 05:43:10 camelot-x sshd[7273]: Bad protocol version identification '\003' from 23.91.71.35 port 62857
Aug 29 13:19:09 camelot-x sshd[13493]: Bad protocol version identification 'GET / HTTP/1.1' from 79.1.32.105 port 50161
Aug 29 19:10:12 camelot-x sshd[17326]: Bad protocol version identification 'GET / HTTP/1.1' from 187.110.211.33 port 37036
Aug 30 21:20:29 camelot-x sshd[27845]: Bad protocol version identification 'GET / HTTP/1.1' from 38.122.48.158 port 36990
Aug 31 07:48:48 camelot-x sshd[2885]: Bad protocol version identification 'GET / HTTP/1.1' from 167.249.144.2 port 44935
Aug 31 08:29:30 camelot-x sshd[3313]: Bad protocol version identification 'GET / HTTP/1.1' from 181.118.134.45 port 42856
Aug 31 12:58:45 camelot-x sshd[6483]: Bad protocol version identification 'GET / HTTP/1.1' from 203.159.10.103 port 49502
Aug 31 14:14:10 camelot-x sshd[7309]: Bad protocol version identification 'GET / HTTP/1.1' from 186.211.108.26 port 41155

Running whois(1) on these IP numbers yields a variety of ISPs from all over
the world.

I don't know what the \003 things are doing.  The GET is a web page request.
My web server is on port 80, but the query seen above just gets you a
static page with no links.  But no matter what you request,
none of the pages take any input other than clicks, so I'm not worried. The
text for the page they requested reads
It works!

*This far, anyway.*

This is the default web page for the kosmanor.com server.

You will need a more specific URL to see any content.





On Mon, Aug 29, 2016 at 9:33 PM, Karl Auer <kauer at biplane.com.au> wrote:

> On Tue, 2016-08-30 at 13:07 +0900, Joel Rees wrote:
> > And my thought there was that skript kiddies are no longer the only
> > people we should worry about.
>
> Here's a lesson learned from a zillion hours of training people: Don't
> try to do everything at once.
>
> The OP had a specific problem, recognisable as script kiddy attacks. My
> response addressed that, and anyone following through on the first few
> of my suggestions will have a robust system, which will see very few
> script kiddy attacks if any, and those they do see will not succeed.
>
> They will have a robust system; not an impervious one.
>
> > It's a good list to get started, but we should really be encouraging
> > users to understand what logging in means, how it is done, how these
> > attacks use our computers against us, and so forth.
>
> Well, you go do that. But please don't do it by muddying the waters
> around what was a simple problem with easy-to-implement solutions.
>
> When someone wants to learn how to make toast, you don't immediately
> try to sell them a fully kitted-out professional kitchen and start
> telling them how vitally important it is to understand everything about
> the use and abuse of automated chrome-plated fuel-injected turnip-
> twaddlers.
>
> > A quick browse through /etc/services is amusing.
>
> Pick a random port number >1024 and the chances are very good that it
> will be a port number you can use. Simple advice, easily followed.
> Unlike "do a thousand hours of research to locate the optimally suited
> set of port numbers".
>
> > Well, if you can afford to go all-IPv6 now, I think you've just told
> > the attackers you have something interesting in you network.
>
> What? Who said "all-IPv6"? If you can access your network via IPv6, as
> an increasing proportion of the civilised world can, then turning off
> IPv4 access to ssh is a simple and VERY effective way to stop script
> kiddies (and a pretty large number of other attacks, too). So far,
> anyway.
>
> Regards, K.
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Karl Auer (kauer at biplane.com.au)
> http://www.biplane.com.au/kauer
> http://twitter.com/kauer389
>
> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
>
>
>
>
> --
> ubuntu-users mailing list
> ubuntu-users at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/
> mailman/listinfo/ubuntu-users
>



-- 
Kevin O'Gorman
#define QUESTION ((bb) || (!bb))   /* Shakespeare */

Please consider the environment before printing this email.
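Added example, not the author's code and not something the thread itself provides. sshd logs "Bad protocol version identification" when the first line a client sends is not a valid SSH identification string ("SSH-2.0-<software>") and drops the connection before key exchange, so every entry above is a probe that never reached authentication; non-printable bytes in that first line are logged as octal escapes, which is why a single 0x03 byte appears as '\003'. The script below parses such auth.log lines, decodes those escapes, labels each probe (an HTTP request line versus non-printable junk), and flags sources that open several connections within a few seconds, the pattern visible in the three-in-a-row entries in the post. Assumptions: the year 2016 is supplied for the year-less syslog timestamps, the sample log is built from entries in the post plus one constructed unrelated sshd line, and the burst thresholds (3 connections within 5 seconds) are arbitrary.

```python
"""Triage sshd 'Bad protocol version identification' entries from auth.log.

sshd emits this message when the first line a client sends is not a valid
SSH identification string ("SSH-2.0-<software>") and closes the connection
before key exchange.  Non-printable bytes in that line are logged as octal
escapes (\\003 for byte 0x03).
"""
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: entries taken from the post, one per line, plus one
# constructed unrelated sshd line to show that it is ignored.
SAMPLE_LOG = """\
Aug 29 05:09:20 Plato sshd[24656]: Bad protocol version identification '\\003' from 75.145.88.253 port 58685
Aug 29 05:09:20 Plato sshd[24657]: Bad protocol version identification '\\003' from 75.145.88.253 port 58707
Aug 29 05:09:21 Plato sshd[24658]: Bad protocol version identification '\\003' from 75.145.88.253 port 58728
Aug 29 13:19:09 camelot-x sshd[13493]: Bad protocol version identification 'GET / HTTP/1.1' from 79.1.32.105 port 50161
Aug 31 10:31:19 Plato sshd[20442]: Bad protocol version identification '\\003' from 185.93.185.235 port 51162
Aug 31 10:31:25 Plato sshd[20450]: Connection closed by 10.0.0.5 port 40000 [preauth]
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Bad protocol version identification '(?P<banner>.*)' from (?P<ip>[0-9A-Fa-f.:]+) port (?P<port>\d+)$"
)
OCTAL_ESCAPE_RE = re.compile(r"\\([0-7]{3}|\\)")
HTTP_REQUEST_RE = re.compile(r"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/\d\.\d$")


def decode_banner(escaped):
    r"""Undo sshd's octal escaping: \003 -> chr(3), \\ -> a single backslash."""
    return OCTAL_ESCAPE_RE.sub(
        lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)), escaped)


def classify_banner(escaped):
    """Label what the client actually sent instead of an SSH banner."""
    raw = decode_banner(escaped)
    if not raw:
        return "empty"
    if raw.startswith("SSH-"):
        return "ssh-like"      # looked like SSH but sshd still rejected the version string
    if HTTP_REQUEST_RE.match(raw):
        return "http-probe"    # an HTTP scanner that found the port open
    if all(not ch.isprintable() for ch in raw):
        return "binary-probe"  # only control/non-printable bytes, e.g. the lone \003
    return "other"


def parse_line(line, year):
    """Return a dict for a 'Bad protocol version identification' line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it (assumption).
    ts = " ".join(m.group("ts").split())
    return {
        "time": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
        "host": m.group("host"),
        "ip": m.group("ip"),
        "port": int(m.group("port")),
        "banner": m.group("banner"),
        "kind": classify_banner(m.group("banner")),
    }


def summarize(log_text, year=2016, burst_count=3, burst_window=timedelta(seconds=5)):
    """Group events per source IP and flag rapid bursts (thresholds are arbitrary)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev:
            by_ip[ev["ip"]].append(ev)
    report = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["time"])
        # any run of burst_count consecutive connections inside burst_window
        burst = any(
            events[i + burst_count - 1]["time"] - events[i]["time"] <= burst_window
            for i in range(len(events) - burst_count + 1)
        )
        report[ip] = {
            "count": len(events),
            "kinds": sorted({e["kind"] for e in events}),
            "burst": burst,
            "first": events[0]["time"],
            "last": events[-1]["time"],
        }
    return report


if __name__ == "__main__":
    # Usage: python3 sshd_banner_triage.py [/var/log/auth.log]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, info in sorted(summarize(text).items(), key=lambda kv: -kv[1]["count"]):
        flag = " BURST" if info["burst"] else ""
        print(f"{ip:>16} {info['count']:3d} {','.join(info['kinds']):<14} "
              f"{info['first']:%b %d %H:%M:%S} .. {info['last']:%b %d %H:%M:%S}{flag}")
```

Run it against the real file with `sudo python3 sshd_banner_triage.py /var/log/auth.log`. The per-source "kinds" column separates web scanners that merely found an open port from sources sending non-printable junk, and the BURST flag picks out the automated three-connection sweeps; either is a reasonable trigger for a firewall block, and neither indicates that any login was attempted, since sshd closed these connections before authentication began.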